Cisco Pix and ACS

Trying to get a pix (6.3(3)) to work with CSACS 3.3 using command
authorization. When I turn the authorization command on on the pix
all commands fail, even though they are set up to permit them in the
ACS. Another problem that I have is this: is there a way to have a
user automatically drop into enable mode or have a different enable
password? What I'm trying to do is to set up a couple of users that
can only perform a short list of commands like ping and show X etc.
Any insight on this would be very much appreciated.


Yes, what you're asking for is definitely possible. I had a similar config
that permitted certain users to execute only certain commands. You will
need to assign users to groups in ACS and permit the desired commands at the
group level, or configure each user individually. You specify which
commands are permitted and which are denied in a fairly confusing manner.
If you don't see the command authorization section in your user/group
config, make sure it is turned on in the ACS settings.

As for all commands failing, that usually means the PIX is unable to
communicate with the ACS server. Is there another firewall in between? Is
the security key correct between the PIX and the ACS? Does the ACS show
failed or passed logins from the PIX? You may also need to permit level 15
command authorization in the ACS user config.

I hope some of this helps. I know I didn't get very specific, but it's been
a while since I configured it.

Matt

"Trippbit" <> wrote in message
news:...
> Trying to get a pix (6.3(3)) to work with CSACS 3.3 using command
> authorization. When I turn the authorization command on on the pix
> all commands fail, even though they are set up to permit them in the
> ACS. Another problem that I have is this: is there a way to have a
> user automatically drop into enable mode or have a different enable
> password? What I'm trying to do is to set up a couple of users that
> can only perform a short list of commands like ping and show X etc.
> Any insight on this would be very much appreciated.
>
> Thanks,
> -Brian
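An added example of the PIX 6.3 side of the setup Matt describes (not from the thread or from Cisco documentation): it points TACACS+ authentication and command authorization at ACS, with authentication configured before authorization so the box cannot lock itself out if ACS rejects every command. The server address 192.168.1.10 and the key are assumed placeholders; the key must match the one entered for this PIX in the ACS AAA client entry, which is the first thing to compare when every command is denied.

```cisco
! Define a TACACS+ server group and the ACS host (assumed address and key).
! The key here must be byte-for-byte identical to the key configured for
! this PIX under the ACS "AAA client" entry, or every request is rejected.
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.168.1.10 S3cretKeyPlaceholder timeout 10

! Authenticate management logins and the enable prompt against ACS first.
! Leave the serial console out so a local session still works while testing.
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa authentication enable console TACACS+

! Only after a TACACS+ login has been confirmed to work, turn on per-command
! authorization. From this point each command (ping, show ...) is sent to ACS,
! and the user's group in ACS decides whether it is permitted or denied.
aaa authorization command TACACS+
```

Check the ACS Failed Attempts and Passed Authentications reports after a test login: a missing entry means the PIX never reached ACS (path or intermediate firewall), a key error means the shared secret differs, and a passed login followed by denied commands means the command set or privilege level on the ACS user/group is the problem.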
